From owner-freebsd-hackers Wed Nov 19 11:16:26 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id LAA13538 for hackers-outgoing; Wed, 19 Nov 1997 11:16:26 -0800 (PST) (envelope-from owner-freebsd-hackers)
Received: from ccsales.ccsales.com (ccsales.ccsales.com [207.137.172.4]) by hub.freebsd.org (8.8.7/8.8.7) with SMTP id LAA13529; Wed, 19 Nov 1997 11:16:20 -0800 (PST) (envelope-from randyk@ccsales.com)
Date: Wed, 19 Nov 1997 11:20:39 -0800 (PST)
From: Randy Katz
To: WUSTL ListProc
cc: hackers@freebsd.org
Subject: strange things...HELP!!!
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hello,

I tried to find out how this hacker is doing it on an ISP list and they said I was a hacker...HELP!!!

The hacker ftp's into our server as a valid user (we will cancel him as soon as we know how to keep him out).
Hacker copies /etc/master.passwd to his home directory.
Hacker modified master.passwd.
Hacker copies it back to /etc/master.passwd.

How is he doing this? He does it fast (1 min. max).

/etc/master.passwd is root/wheel 600.
The hacker's account is not grouped under wheel.
/etc/ is root/wheel 755.

Is there something I'm doing wrong??? He can do it on any machine in our network. Don't try ccsales.com, it's an old 2.1.0 FreeBSD box which I just use for personal mail. He has hacked it on FreeBSD 2.2.2 running wu-ftpd (BETA-13,14 & 15).

HELP!!!

Thanx,
Randy Katz
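
A defensive check for the situation described in the message above, added here as an example and not part of the original post: it compares a known-good copy of master.passwd with the live file and reports added, removed or altered accounts. The function names, sample accounts and placeholder hashes are constructed for illustration; the colon-separated 10-field layout is the FreeBSD master.passwd format.

```shell
#!/bin/sh
# FreeBSD master.passwd has 10 colon-separated fields:
# name:password:uid:gid:class:change:expire:gecos:home_dir:shell
passwd_diff() {
    # $1 = known-good baseline copy, $2 = file to inspect
    [ -r "$1" ] && [ -r "$2" ] || { echo "usage: passwd_diff GOOD CURRENT" >&2; return 2; }
    awk -F: -v base="$1" '
        BEGIN {                              # load the baseline into arrays
            while ((getline line < base) > 0) {
                if (line ~ /^#/ || line == "") continue
                split(line, f, ":")
                pw[f[1]] = f[2]; uid[f[1]] = f[3]; sh[f[1]] = f[10]
            }
            close(base)
        }
        /^#/ || NF == 0 { next }
        { seen[$1] = 1 }
        !($1 in pw) { print "ADDED " $1 " uid=" $3 " shell=" $10; next }
        {
            if (uid[$1] != $3) print "CHANGED " $1 " uid " uid[$1] "->" $3
            if (pw[$1] != $2)  print "CHANGED " $1 " password" ($2 == "" ? " (now empty)" : "")
            if (sh[$1] != $10) print "CHANGED " $1 " shell " sh[$1] "->" $10
        }
        END { for (n in pw) if (!(n in seen)) print "REMOVED " n }
    ' "$2" | LC_ALL=C sort
}

# Constructed sample data: a baseline and a tampered copy (placeholder hashes).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/good" <<'EOF'
root:$1$CONSTRUCTEDHASH1:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
alice:$1$CONSTRUCTEDHASH2:1001:1001::0:0:Alice:/home/alice:/bin/sh
EOF
    cat > "$d/now" <<'EOF'
root:$1$CONSTRUCTEDHASH1:0:0::0:0:Charlie &:/root:/bin/csh
daemon::1:1::0:0:Owner of many system processes:/root:/bin/sh
alice:$1$CONSTRUCTEDHASH2:0:1001::0:0:Alice:/home/alice:/bin/sh
extra:$1$CONSTRUCTEDHASH3:0:0::0:0:constructed:/tmp:/bin/sh
EOF
    passwd_diff "$d/good" "$d/now"
    rm -rf "$d"
}

demo
```

The baseline must come from read-only or offline media; a copy kept on the same host can be altered along with the live file.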